
Secure Access to Web Applications with F5 and Okta using SAML 2.0 (2 of 2)

This article is the second in a two-part series.
Go to Part 1 here: Secure Access to Web Applications with F5 and Okta using SAML 2.0 (1 of 2)

Step 2: Configure F5 BIG-IP APM as SAML SP for the Application

Refer to the step-by-step instructions and screenshots below to configure F5 BIG-IP APM as the SAML SP for a new application called app.f5sec.net.

2.1 Import Certificate for the Application

Import the certificate for app.f5sec.net. This certificate will be later referenced when configuring the application.

•   Log in to the F5 BIG-IP System.

•   On the F5 Configuration Utility (Web UI) Main menu, navigate to System > Certificate Management > Traffic Certificate Management > SSL Certificate List.

•   On the Traffic Certificate Management page, click the Import button on the right-hand corner.

•   On the SSL Certificate/Key Source page, select Key from the Import Type drop-down box.

•   Specify a Key Name and browse to the folder that contains the Key. After selecting the key file, click Import.

•   Back in the Traffic Certificate Management page, click on the imported Key name.

•   In the General Properties page, click on the Import button.

•   Browse to the folder that contains the Certificate. After selecting the certificate file, click Import.

Figure 9: Importing application certificate and key

2.2 Using Guided Configuration

The F5 BIG-IP APM Guided Configuration presents a completely new and streamlined user experience. This workflow-based architecture provides intuitive configuration steps tailored for a selected use case.

The steps below will walk through the Guided Configuration to build the application and configure F5 BIG-IP APM as SAML SP.

•   On the F5 Web UI Main menu, navigate to Access > Guided Configuration.

•   Click on the Federation tile. From the expanded option, click on the SAML Service Provider tile.

Figure 10: Guided configuration initial selection.

•   Take a moment to review the various configuration options on the SAML Service Provider page.

Figure 11: SAML Service Provider page

•   Satisfy any of the DNS, NTP, Interface, VLAN, Route, and Self IP configuration prerequisites from this initial configuration page.

•   Scroll down and click Next.

2.2.1 Configure Service Provider Properties

•   To configure these properties, follow the guidance below.

Figure 12: Sample ‘Service Provider Properties’ configuration.

•   Accept the remaining default entries and click Save & Next.

2.2.2 Configure Virtual Server Properties

•   To configure a virtual server for the app, follow these steps.

Figure 13: Sample ‘Virtual Server Properties’ configuration.

•   Click Save & Next.

2.2.3 Configure Okta Identity Provider Connector

•   To configure Okta as the external SAML IdP provider, follow the steps below.

Figure 14: Sample Okta IdP configuration.

•   Click Save & Next.

2.2.4 Create a Pool

•   To create a load balancing pool of application servers, follow the steps below.

Figure 15: Sample ‘Pool Properties’ configuration.

•   Click Save & Next.

2.2.5 Configure Single Sign-On Settings

•   To configure Okta as the external SAML IdP, follow the steps below.

Figure 16: Sample ‘Single Sign-on Settings’ configuration.

•   Click Save & Next.

2.2.6 Endpoint Checks

Select the Enable Endpoint Checks radio button to enable endpoint checks. For this demonstration, we will leave this setting at default.

Figure 17: 'Endpoint Checks Properties' page to enable and configure endpoint checks.

•   Click Save & Next.

2.2.7 Session Management

Leave the Timeout Settings at default.

Figure 18: Default timeout settings

•   Click Save & Next.

2.2.8 Summary

Review the Summary screen. When done, scroll down and click Deploy.

Figure 20: Confirmation of a successful deployment.

•   Click on the Finish button.

This completes the F5 BIG-IP APM configuration.

Step 3: Verification

We will verify the solution by accessing app.f5sec.net.

•   Open a web browser on an end host and navigate to https://app.f5sec.net. Notice that the request is redirected to Okta.com for user authentication.

Figure 21: Redirection to Okta for user authentication.

•   The application's default web page prints all the request headers. Notice that the HTTP_MYAUTHORIZATION header has been inserted with the appropriate value.

Figure 22: HTTP_MYAUTHORIZATION header inserted with user identity value.
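The verification step relies on the back end reading an identity header that BIG-IP APM inserts. The following is an added example, not code from the article or from F5: a minimal WSGI application that behaves like the demo page (it prints every request header) and shows how a pool member should treat that header. The name HTTP_MYAUTHORIZATION is how CGI/WSGI environments expose a request header called MyAuthorization, which is why it appears in that form on the demo page. The proxy address, the client address and the identity value are constructed; the host name app.f5sec.net comes from the article. The trusted-proxy check is the practitioner's addition: the header only carries meaning when the request arrived through the APM virtual server, so a request that reaches the pool member directly must not be treated as authenticated even if it carries the header.

```python
"""Added example (not from the article): a WSGI back end that echoes all request
headers, as the demo page in Step 3 does, and trusts the APM-inserted identity
header only when the request came from the APM's forwarding address."""

from wsgiref.simple_server import make_server

# Assumed: the address from which BIG-IP APM forwards traffic to the pool member.
TRUSTED_PROXY_ADDR = "10.0.0.5"           # constructed value
# CGI/WSGI name of the request header "MyAuthorization" inserted by APM.
IDENTITY_HEADER = "HTTP_MYAUTHORIZATION"


def request_headers(environ):
    """Return {name: value} for every HTTP_* entry in the WSGI environ."""
    return {k: v for k, v in environ.items() if k.startswith("HTTP_")}


def identity_from_environ(environ, trusted_proxy=TRUSTED_PROXY_ADDR):
    """Return the identity APM inserted, or None if it is absent or untrusted.

    A client that bypasses the virtual server and connects to the pool member
    directly could supply the header itself, so it is ignored unless the TCP
    peer is the APM address.
    """
    if environ.get("REMOTE_ADDR") != trusted_proxy:
        return None
    value = environ.get(IDENTITY_HEADER, "").strip()
    return value or None


def render(environ):
    """Build the text body: all headers (like the demo page) plus the identity decision."""
    lines = [f"{k}: {v}" for k, v in sorted(request_headers(environ).items())]
    who = identity_from_environ(environ)
    lines.append("")
    lines.append("authenticated user: " + (who or "(none: header absent or untrusted source)"))
    return "\n".join(lines) + "\n"


def app(environ, start_response):
    """WSGI entry point."""
    body = render(environ).encode("utf-8")
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8"),
                              ("Content-Length", str(len(body)))])
    return [body]


# Constructed sample: a request that arrived through the APM virtual server.
SAMPLE_VIA_APM = {
    "REMOTE_ADDR": TRUSTED_PROXY_ADDR,
    "HTTP_HOST": "app.f5sec.net",
    "HTTP_MYAUTHORIZATION": "alice@f5sec.net",   # constructed identity value
}

# Constructed sample: same header, but sent straight to the pool member.
SAMPLE_DIRECT = {
    "REMOTE_ADDR": "192.0.2.10",
    "HTTP_HOST": "app.f5sec.net",
    "HTTP_MYAUTHORIZATION": "alice@f5sec.net",
}

if __name__ == "__main__":
    print(render(SAMPLE_VIA_APM))
    print(render(SAMPLE_DIRECT))
    # Serve on port 8080 so a browser can exercise it like the demo page.
    with make_server("", 8080, app) as httpd:
        httpd.serve_forever()
```

In a real deployment the peer-address check would be replaced by whatever makes the APM-to-pool hop trustworthy in that environment (a dedicated server-side VLAN, mutual TLS on the server-side SSL profile, or both); the point the example makes is that the back end must not accept the identity header from arbitrary sources.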


Additional Resources

Part 1 - Secure Access to Web Applications with F5 and Okta using SAML 2.0

BIG-IP APM Product Information: Knowledge Center

Free Training Course: Getting Started with BIG-IP Access Policy Manager (APM)

Lightboard Lesson: F5 Access Policy Manager and Okta - Single Sign On and Multi-Factor Authentication

External Resource: F5 | Okta partnership


Published Apr 03, 2020
Version 1.0